CVE-2011-1093

Impact: Important

Description

The CVE Program describes this issue as:

The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet.

Statement

This issue did not affect the version of Linux kernel as shipped with Red Hat Enterprise Linux 4 as it did not include support for the DCCP protocol. Future updates in Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG may address this flaw.

Mitigation

If you do not run applications that use DCCP, you can prevent the dccp
module from being loaded by adding the following entry to the end of the
/etc/modprobe.d/blacklist file:

blacklist dccp

This way, the dccp module cannot be loaded accidentally, which may otherwise
happen when an application that requires DCCP is started. A reboot is not
necessary for this change to take effect, but do make sure the module is not
already loaded. You can verify that by running:

lsmod | grep dccp

You may also consider removing the CAP_SYS_MODULE capability from the current
global capability set to prevent kernel modules from being loaded or unloaded.
CAP_SYS_MODULE has capability number 16 (see linux/capability.h). The default
value has all the bits set. To remove this capability, clear bit 16 of the
default 32-bit value, i.e. 0xffffffff ^ (1 << 16) = 0xfffeffff:

echo 0xFFFEFFFF > /proc/sys/kernel/cap-bound
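The following POSIX shell script is an added example, not part of the Red Hat advisory, that checks whether the mitigation described above is actually in place on a host: it looks for a "blacklist dccp" directive in the modprobe configuration, confirms from /proc/modules (the same data lsmod prints) that the module is not loaded, and, on kernels that still provide /proc/sys/kernel/cap-bound, tests whether bit 16 (CAP_SYS_MODULE) has been cleared. The function names, the handling of any file under /etc/modprobe.d (not only the legacy blacklist file) and the sample inputs used in the test are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): verify the DCCP mitigation state.
# Assumptions: modprobe directives live in files under /etc/modprobe.d (the
# legacy "blacklist" file or any other file there); the loaded-module list is
# read from /proc/modules, which is what lsmod itself formats.

# dccp_blacklisted DIR: succeed if any file in DIR carries a "blacklist dccp"
# directive. Leading whitespace is allowed and trailing comments are ignored.
dccp_blacklisted() {
    dir="$1"
    [ -d "$dir" ] || return 1
    grep -Eqs '^[[:space:]]*blacklist[[:space:]]+dccp([[:space:]]|$)' "$dir"/*
}

# dccp_loaded MODULES_FILE: succeed if the dccp module is currently loaded.
# /proc/modules lists one module per line with the module name first; the
# anchor keeps "dccp_ipv4"-style names from matching by accident.
dccp_loaded() {
    grep -Eqs '^dccp[[:space:]]' "$1"
}

# dccp_mitigation_status DIR MODULES_FILE: print one word describing the state
# and return 0 only when the mitigation is effective (blacklisted, not loaded).
dccp_mitigation_status() {
    if dccp_loaded "$2"; then
        echo "loaded"        # module already in the kernel: blacklist alone is not enough
        return 1
    fi
    if dccp_blacklisted "$1"; then
        echo "mitigated"
        return 0
    fi
    echo "unprotected"       # not loaded now, but nothing stops auto-loading
    return 1
}

# cap_sys_module_dropped VALUE: succeed if bit 16 (CAP_SYS_MODULE) is clear in
# VALUE, the bounding set read from /proc/sys/kernel/cap-bound, whether it is
# given as hex (0xFFFEFFFF) or as the signed decimal the kernel may print.
cap_sys_module_dropped() {
    [ $(( $1 & (1 << 16) )) -eq 0 ]
}

# Stand-alone run against the real system. Each check sits inside an "if" so
# a negative result is reported rather than aborting the script under set -e.
if status=$(dccp_mitigation_status /etc/modprobe.d /proc/modules); then
    echo "dccp module mitigation in place ($status)"
else
    echo "dccp module mitigation NOT in place ($status)" >&2
fi

if [ -r /proc/sys/kernel/cap-bound ]; then
    if cap_sys_module_dropped "$(cat /proc/sys/kernel/cap-bound)"; then
        echo "CAP_SYS_MODULE dropped from the global bounding set"
    else
        echo "CAP_SYS_MODULE still present in the global bounding set"
    fi
else
    echo "no /proc/sys/kernel/cap-bound on this kernel (the sysctl was removed in 2.6.25)"
fi
```

Run it as root on the host being checked; a "loaded" result means the blacklist entry was added after the module was already pulled in, so the module has to be unloaded (or the host rebooted) before the entry does anything. The cap-bound part is only meaningful on kernels older than 2.6.25, which dropped the global bounding-set sysctl in favour of per-process bounding sets; on newer kernels the module blacklist is the part of this mitigation that still applies.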

Additional information

  • Bugzilla 682954: kernel: dccp: fix oops on Reset after close
  • CWE-672->CWE-476: Operation on a Resource after Expiration or Release leads to NULL Pointer Dereference
  • FAQ: Frequently asked questions about CVE-2011-1093

Common Vulnerability Scoring System (CVSS) Score Details

Important note

CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).

CVSS v2 Score Breakdown

Metric                  Red Hat                     NVD
CVSS v2 Base Score      7.8                         7.8
Attack Vector           Network                     Network
Access Complexity       Low                         Low
Authentication          None                        None
Confidentiality Impact  None                        None
Integrity Impact        None                        None
Availability Impact     Complete                    Complete
CVSS v2 Vector          AV:N/AC:L/Au:N/C:N/I:N/A:C  AV:N/AC:L/Au:N/C:N/I:N/A:C
